Network administration
Fetos, 2014-08-06 16:13:02

How to configure ACL between VLAN cisco 3750?

Dear, good evening!
For several days I have been struggling with the issue of ACLs between VLANs on Cisco 3750 equipment. There are 2 VLANs, vlan = 10.0.1.0/24 and vlan2 = 10.0.2.0/24, routing is configured between them and traffic goes in both directions. There was a need to prohibit traffic from going from vlan2 to vlan, but access from vlan to vlan2 should remain the same, i.e. complete. I know that this is somehow prohibited and allowed at the ACL level, but I can't set it up in any way; basically the traffic disappears altogether. There is a lot of useful information on the Internet, but at the level of routers; there is nothing specific about switches. Could you tell me on which interface the ACL needs to be applied and what it would look like? Thank you very much in advance!

2 answer(s)
throughtheether, 2014-08-06
@Fetos

There was a need to prohibit traffic from going from vlan2 to vlan, but access from vlan to vlan 2 should remain the same, i.e. complete.
It must be understood that the ACL in this case (Catalyst 3750) is a stateless packet filter. Accordingly, it can only allow/prohibit forwarding packets from one interface to another. If you are sure that this is what you need, and if the 3750 is doing the routing, then you should:
1) create an ACL:
ip access-list extended deny_vlan2_to_vlanX
 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip any any
2) apply the ACL:
interface vlanX
 ip access-group deny_vlan2_to_vlanX out

3) observe the result.
I know that this is somehow prohibited and allowed at the ACL level, but I can’t set it up in any way, basically the traffic disappears altogether.
It must be understood that if "access" from vlan X to vlan 2 implies any two-way protocol (that is, almost any), then there will be no "access" from vlan X to vlan 2.
In this case, a stateful firewall (which would track, for example, the beginning of a session) can help you, which, as far as I know, the Catalyst 3750 does not have. In the case of using a protocol that uses TCP for "access", a variant with the established keyword is possible.
ip access-list extended deny_vlan2_to_vlanX_variant2
 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 established
 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip any any

Hang this ACL on the same vlanX interface in the same way as in the previous case.
The letter X marks your mysterious vlan everywhere with the prefix 10.0.1.0/24 (which is not 2).
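The following is an added example and not part of the thread or of Cisco's own code: a small Python model of how an extended ACL is evaluated, written to show why the first ACL above cuts off the vlan X -> vlan 2 access (the replies are dropped) and why the established variant restores it for TCP only. The two ACLs and the addresses mirror the answer; the packets are constructed samples, and the model assumes the usual semantics (first matching entry wins, implicit deny at the end, established matches packets with ACK or RST set, an outbound ACL on interface vlanX only sees packets routed toward 10.0.1.0/24).

```python
"""Added example: a stateless-ACL simulator for the two ACLs in the answer.
Not the switch's own code; packets below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                   # "tcp", "udp" or "icmp"
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN"}


@dataclass
class Ace:
    """One access-list entry: action, protocol, source/dest with wildcard masks."""
    action: str                                  # "permit" or "deny"
    proto: str                                   # "ip", "tcp", "udp", "icmp"
    src_net: str                                 # "10.0.2.0 0.0.0.255" or "any"
    dst_net: str
    established: bool = False


def _wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_wildcard_match(pkt.src, ace.src_net) and _wildcard_match(pkt.dst, ace.dst_net)):
        return False
    if ace.established:
        # 'established' is stateless: it only checks that ACK or RST is set,
        # it does not remember whether a session was actually opened.
        return bool(pkt.flags & {"ACK", "RST"})
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def outbound_on_vlanx(acl: list, pkt: Packet) -> str:
    """Model 'ip access-group ... out' on interface vlanX: only packets the
    switch routes toward vlan X hosts (dst in 10.0.1.0/24) pass through the ACL."""
    if ipaddress.IPv4Address(pkt.dst) not in ipaddress.IPv4Network("10.0.1.0/24"):
        return "not-filtered"
    return evaluate(acl, pkt)


VLAN2 = "10.0.2.0 0.0.0.255"
VLANX = "10.0.1.0 0.0.0.255"

# deny_vlan2_to_vlanX from the answer
ACL_V1 = [
    Ace("deny", "ip", VLAN2, VLANX),
    Ace("permit", "ip", "any", "any"),
]

# deny_vlan2_to_vlanX_variant2 from the answer
ACL_V2 = [
    Ace("permit", "tcp", VLAN2, VLANX, established=True),
    Ace("deny", "ip", VLAN2, VLANX),
    Ace("permit", "ip", "any", "any"),
]


def run_scenarios(acl: list) -> dict:
    """Constructed sample packets covering both directions and both protocols."""
    cases = {
        "vlanX->vlan2 SYN (session started from vlan X)":
            Packet("10.0.1.10", "10.0.2.20", "tcp", frozenset({"SYN"})),
        "vlan2->vlanX SYN/ACK (reply to that session)":
            Packet("10.0.2.20", "10.0.1.10", "tcp", frozenset({"SYN", "ACK"})),
        "vlan2->vlanX SYN (session started from vlan 2)":
            Packet("10.0.2.20", "10.0.1.10", "tcp", frozenset({"SYN"})),
        "vlan2->vlanX UDP reply":
            Packet("10.0.2.20", "10.0.1.10", "udp"),
    }
    return {name: outbound_on_vlanx(acl, p) for name, p in cases.items()}


if __name__ == "__main__":
    for label, acl in (("variant 1", ACL_V1), ("variant 2 (established)", ACL_V2)):
        print(label)
        for name, verdict in run_scenarios(acl).items():
            print(f"  {verdict:13} {name}")
```

Running it shows the point of the answer: with variant 1 the SYN/ACK coming back from vlan 2 is denied, so a TCP connection opened from vlan X never completes; with variant 2 that reply is permitted while a SYN originating in vlan 2 is still denied. The UDP case stays denied under both ACLs, which is the practical limit of the established trick: it is a check on TCP flag bits, not on session state, so anything that is not TCP (DNS, ICMP) still needs a stateful device or explicit per-protocol entries.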

Fetos, 2014-08-07
@Fetos

Thank you very much for the help!
